GAO Report Finds DoD Weapons Programs Continue to Lack Cybersecurity Guidelines

In 2018, the Government Accountability Office (GAO) reported that the DoD routinely found cyber vulnerabilities late in the development process, and despite efforts to address the problem, the DoD still has room for improvement. Even as there has been more cybersecurity testing during development than with past acquisition programs, the DoD still needs to improve weapon systems cybersecurity, the congressional watchdog noted.

In its March 2021 report, titled “WEAPON SYSTEMS CYBERSECURITY: Guidance Would Help DOD Programs Better Communicate Requirements to Contractors,” the GAO said the DoD still has failed to communicate clear cybersecurity guidelines to contracts that are tasked with building systems for its weapons programs.

“Cybersecurity requirements should be defined in acquisition program contracts, and criteria should be established for accepting or rejecting the work and for how the government will verify that requirements have been met,” the report noted. “However, GAO found examples of program contracts omitting cybersecurity requirements, acceptance criteria, or verification processes.”

The report found that in three of the five contracts reviewed by the GAO actually had no cybersecurity requirement written into the contract language at the time the award was issued. Only vague requirements were even added at a later point.

Additionally, among the military service branches, only the United States Air Force was noted for issuing service-wide guidance on cybersecurity requirements in its defense contracts.

GAO Says Room For DoD Improvement

The DoD’s acquisition programs have seen improvement, including new policies and guidance that has enhanced the weapons systems’ capabilities, but it still hasn’t addressed what might lead to acceptance or rejection of the system. At the same time, the GAO had previously found that the DoD historically focused its cybersecurity efforts towards protecting networks and traditional IT systems, and since that time, greater effort has been made to make the weapons systems less vulnerable to a cyber attack.

There is still room for improvement.

“As we reported in 2018, DoD had not prioritized weapon systems cybersecurity until recently, and was still determining how best to address it during the acquisition process,” the report noted. “The department had historically focused its cybersecurity efforts on protecting networks and traditional IT systems, but not weapon systems, and key acquisition and requirements policies did not focus on cybersecurity. As a result, DoD likely designed and built many systems without adequate cybersecurity.”

Ultimately, the GAO suggested, the DoD’s success in actually improving a weapons system’s cybersecurity would likely depend on the extent to which the military services and acquisition community execute the changes to reach better outcomes in the respective programs.

A Bigger Issue for DOD Than Weapons Systems

The DoD has largely agreed with the recommendations in the GAO report, but standardizing cybersecurity requirements will likely remain difficult as the department still needs to better communicate cybersecurity requirements and systems engineering to the users, who can then decide whether the cybersecurity risk is acceptable.

However, this is a problem that could be far bigger than just the weapons systems.

“The problem goes far beyond just the DoD weapon systems,” suggested Chris Grove, technology evangelist with Nozomi Networks.

“In many cases, the government’s cybersecurity requirements aren’t provided upfront, leaving many organizations having to face fines and other consequences later in the contracting process,” Grove told ClearanceJobs in an email.

“If the cybersecurity requirements were clear and easy to navigate for companies looking to do business with the government, more investment could be made in the private sector to accommodate the vast number of potential regulations a product might need to adhere to,” Grove added.

At issue too is the fact that additional costs and greater complexity for products sold into the government without a compensating cost reduction measure, like streamlining the regulatory processes, or providing the requirements upfront, will drive up the costs. At the same time, it won’t actually improve the security posture.

The DoD has sought to address this with the Cybersecurity Maturity Model Certification (CMMC), which is the five-level cybersecurity assessment and certification model that companies doing business with the DoD must eventually implement and adhere to throughout the duration of a contract.

“The CMMC was an excellent step in the right direction, I anticipate this report will add some tailwind to those efforts,” said Grove. “In the end, we need cyber-resiliency to be the baseline, not the end goal.”